Airzero Sec

We Do Not Give Up ! Trust US !

Uncategorized

Topics that don't need a category, or don't fit into any other existing category

A previously unknown firmware implant used in a targeted espionage campaign to maintain stealthy persistence has been linked to the Chinese-speaking Winnti advanced persistent threat group (APT41).

The rootkit, codenamed MoonBounce by Kaspersky, was described as the "most advanced UEFI firmware implant discovered in the wild to date," with the implant's "purpose being to facilitate the deployment of user-mode malware that stages performance of further payloads downloaded from the internet."

Firmware-based rootkits, once uncommon in the threat landscape, are quickly becoming lucrative tools for sophisticated actors seeking to establish a long-term foothold in a way that is not only difficult to detect but also difficult to remove. MoonBounce is worrisome for a variety of reasons. Unlike FinFisher and ESPecter, which target the EFI System Partition (ESP), the newly discovered rootkit, along with LoJax and MosaicRegressor, targets the SPI flash, a non-volatile storage device external to the hard drive.

By embedding such persistent bootkit malware within the flash storage soldered to a computer's motherboard, the mechanism renders it impossible to remove via hard drive replacement and even resistant to re-installation of the operating system.

According to the Russian cybersecurity firm, the presence of the firmware rootkit was discovered in a single incident last year, indicating the highly targeted nature of the attack. However, the precise mechanism by which the UEFI firmware was infected is unknown.

The fact that an existing firmware component was tampered with to alter its behaviour — rather than adding a new driver to the image — adds to its stealthiness, with the goal of diverting the execution flow of the boot sequence to a malicious attack sequence that injects the user-mode malware during system startup, which then connects to a hardcoded remote server to retrieve the next-stage payload.

"The infection chain itself goes no traces on the hard drive, as its components operate in memory only, enabling a fileless attack with a small footprint," the researchers explained, adding that they discovered other non-UEFI implants in the targeted network communicating with the same infrastructure that hosted the staging payload.

Among the components deployed across multiple network nodes are a backdoor known as ScrambleCross (aka Crosswalk) and a number of post-exploitation malware implants such as Microcin and Mimikat ssp, indicating that the attackers moved laterally after gaining initial access in order to exfiltrate data from specific machines.

In an independent analysis, cybersecurity firm Binary discovered that the MoonBounce UEFI component was created in 2014 for target hardware related to an MSI system and that the malware could have been delivered to the compromised machine via physical access or software modifications caused by a lack of adequate SPI protections.

To counteract such firmware-level modifications, it is recommended that the UEFI firmware be updated on a regular basis, as well as that security features such as Boot Guard, Secure Boot, and Trust Platform Modules be enabled (TPM). "MoonBounce describes a certain change in this group of threats by offering a more detailed attack discharge in comparison to its ancestors, as well as a higher level of technical competence by its authors, who demonstrate a thorough understanding of the finer details involved in the UEFI boot process," the researchers wrote. If you have any questions and concerns about the above topic, please contact Airzero sec through the given Email.

Email:[email protected]

Researchers have discovered two serious security holes in the Control Web Panel that might be used as part of an attack chain to execute pre-authenticated remote code on affected servers.

The vulnerability, identified as CVE-2021-45467, is a file inclusion vulnerability that occurs when a web application is tricked into exposing or running arbitrary files on the webserver.

Control Web Panel, formerly CentOS Web Panel, is a free and open-source Linux control panel software used to set up web hosting environments.

According to Octagon Networks' Paulos Yibelo, who discovered and reported the flaws, the problem arises when two of the application's unauthenticated PHP pages — "/user/login.php" and "/user/index.php" — fail to sufficiently validate a way to a script file.

This means that all an attacker needs to do to exploit the vulnerability is change the include statement, which is used to include the content of one PHP file into another PHP file, to infiltrate malicious code from a sheltered resource and gain code execution.

While the application had protection in place to flag tries to switch to a parent directory as a "hacking attempt," it did nothing to avert the PHP interpreter from receiving a specially formulated string such as ".$00." and actually performing a full bypass.

This not only permits a bad actor to gain entry to restricted API endpoints but it can also be combined with an arbitrary file write vulnerability (CVE-2021-45466) to gain full remote code execution on the server, as shown below —

  • Send a file inclusion payload powered by null bytes to include the malicious API key.
  • To register to a file, utilize the API key (CVE-2021-45466)
  • Include the file we just constructed in (CVE-2021-45467)

If you have any concerns about Critical flaws in the Control Web Panel, please contact us. Please contact Airzero sec if you have any questions or concerns.

Email:[email protected]

In IT operations, guaranteeing secure and reliable information over different networks is a critical necessity. IT administrators have to rely on different protocols, networking most suitable practices, and network monitoring devices to ensure the flow of data in a network meets various standards for security and Quality of Service. One of these general practices is known as packet sniffing, which supports IT administrators, in keeping track of packets and ensuring they’re assigned smoothly. While the packet sniffing method is often connected with cyberattacks, it’s usually used by internet service providers, government agencies, advertisers, and even big companies for network monitoring. In this blog, we’ll examine packet sniffing in particular and also explore frequently used accessories by IT practitioners.

What Are Packets, And Why Do We Need Packet Sniffers?

All networks consist of various components, such as workstations, servers, networking hardware, and more. In the networking terminology, all these elements are called nodes. A healthy network combination guarantees the data between these nodes is transported reliably and at an adequate speed according to the bandwidth and throughput of the network. While most of the popular networks have physical or nervous connections, new networks are a mix of physical and wireless attachments. However, the thoughts of data transfer in all such networks remain the same. In networking, the data is sold in the form of packets, or small pieces of data. These packets vary in their format, depending on the network protocol. In addition to the original message or data, all packets include control information designed to help in the transfer of packets from source to target. The control data is needed as packets intended to be transferred to a specific node often pass through various nodes in a network and can end up at the wrong node. The control data includes IP addresses of the sender and the recipient, packet sequencing data, and more to secure packets to reach the right end. However, the removal of packets in a network can get disturbed due to various issues and network errors.

In protocols like TCP, there’s no inherent mechanism to obtain the packets lost in transmission. However, network engineers use the protocol in only fault-sophisticated networks, where needs below certain thresholds are adequate and don’t influence communication. However, in protocols like UDP, the sender proceeds to resend the packet till it takes the letter of receipt from the receiver. While it combines reliability with transmission, it also increases resource damage. If left unchecked, it can start important delays in overall transmission rates. This is where packet sniffers offer a solution.

With a packet sniffer, sometimes also called a packet analyzer, network administrators can control their network traffic and gain important insights about their support and its appearance. It allows them to hold the traffic flow in a network and also recognize which applications are using the maximum bandwidth.

How Do Packet Sniffers Work?

As explained above, when a sender transmits data packets, the packets pass through various nodes in a network. Each network adapter and the connected device measure a packet’s control data to see what node the packet is headed toward. Under normal circumstances, if a node finds the packet is directed to some other node, it drops or neglects the packet. However, in packet sniffing, certain nodes are added to not follow this regular practice and get all or a limited sample of packets, irrespective of their target address. The packet sniffers use these packets for the analysis of a network.

Depending on who’s using the packet sniffers, it can have both real and negative use cases. Intimidation actors can obtain critical data from unencrypted communications. Many times users logging into websites over unencrypted communication expose their credentials in plain text, which can be easily prevented by packet sniffers. However, packet sniffing also provides many benefits we’ll discuss later in this blog.

What are the different types of packet sniffers?

There are two important types of packet sniffers:

Hardware Packet Sniffers

As the name implies, it’s a hardware element plugged into a network for packet sniffing or network analysis purposes. Hardware packet sniffers are generally used when network managers have to analyze or monitor a distinct segment of a large network. With a physical connection, these packet sniffers provide administrators to ensure all packets are taken without any loss due to routing, filtering, or any other network issue. A hardware packet sniffer can have the ability to save the packets, or they can be added to forward all captured packers to a centralized location for further analysis.

Software Packet Sniffers

Software Packet Sniffers are the more general type of packet sniffers used by many companies. Every computer or node attaches to the network using a Network Interface Card, which is usually configured to neglect the packets not addressed to it. However, a Software Packet Sniffer develops this behaviour, so one can take every bit of network traffic for analysis. The NIC configuration is known as promiscuous mode. The volume of data collected depends on whether the packet sniffer is set in filtered or unfiltered mode.

Depending on the volume and complexity of a network, various packet sniffers might be needed to monitor and analyze a network efficiently. This is because a network adapter can only receive traffic from one side of a switch or a router. Similarly, in wireless networks, most network adapters can relate to only a single channel at a given time. To obtain packets from other channels, one has to install various packet sniffers.

Top 5 Benefits Of Packet Sniffing

  1. Detecting the Root Cause of a Network Issue
  2. Troubleshooting Network Issues
  3. Traffic Analysis
  4. Bandwidth Management
  5. Network Security and Compliance

Detecting the Root Cause of a Network Issue

Today, in most business networks, there are various user groups and applications, along with a blended mix of legacy and next-gen networking devices. Ensuring all applications and servers work without any performance bottlenecks is a large task. When an application or a setting experiences an effect, it can be a challenging business to identify which network or application segment is responsible for the slowdown. This is why network executives monitor their networks continuously for legitimate support and optimization. With packet sniffers, they can collect data from all points of their network to quickly acknowledge the components accountable for latency, jitters, or packet loss.

Troubleshooting Network Issues

Whenever IT teams support tickets compared to network connectivity, they can make a PCAP review to include the answer times or latency in a network. It helps in determining the amount of time a packet needs to travel from a sender to a receiver. With this investigation, teams can identify congested links, know the applications making an incredible amount of traffic, and take corrective actions to resolve the issue. Using modern Wi-Fi packet sniffers, teams can get special metrics for several access points and wireless controllers. Many excellent network monitoring tools offer supplementary features for fault, display, and network availability monitoring. It’s also possible to associate network data across the stack and deliver hop-by-hop network path analysis to troubleshoot network issues and reduce network downtime.

Traffic Analysis

IT teams can also collect the packet data for predictive analysis. They can visualize this data to detect the peaks and troughs in network demand over longer periods. Using advanced IP sniffers and packet analyzers, they can categorize the data based on destination server IP addresses, ports involved in communication, the volume of traffic, and more. With all this analysis, it’s possible to distinguish critical traffic from non-business traffic. Also, IT administrators can filter and flag suspicious content.

Bandwidth Management

Slow or recurrent networks can significantly influence business productivity and lead to large damages. Businesses rely on forwarding network monitoring tools to avoid such issues. However, most of these methods also rely on packet sniffing to analyze the traffic in a network. Packet sniffers help in stopping the abuse of the network by both domestic and external users. As explained above, with traffic analysis, IT teams can quickly identify the traffic flow and WAN bandwidth utilization, any unusual rise in network usage, and more. Furnished with this data, they can prioritize bandwidth allocation for mission-critical applications, and even restrict certain applications.

Network Security and Compliance

It’s not unusual for threat actors to infiltrate an initiative network and negotiate delicate data. However, their results can also continue to be saved for a long period, and many times they use established malware to make wicked use of enterprise resources. Monthly traffic analysis allows the discovery of any unusual rise in outbound traffic flow. Packet sniffers help in identifying a surge in traffic, strive at network intrusion, and allow deeper evaluation and reduction of security warnings. They help in examining the status of WAN and endpoint defence systems. Packet sniffers also help in administrative compliance documentation by logging all of the edge and endpoint traffic. Moreover, with packet sniffers, protection teams can test the effectiveness of their safety setup consisting of several firewalls, web filters, WAF, IPS/IDS systems, and more.

What Are The Best Practices For Packet Sniffing?

There are many network monitoring tools allowing packet sniffing characteristics. You can also see many open-source purposes for packet sniffing. It’s reasonable to choose one of these packet sniffers, set the NIC to promiscuous mode, and start obtaining packets from a network. However, before leaping into battle, you must know how to make the greatest of packet sniffing techniques, without endangering your network. Here are some of the best practices for getting started:

Understand Your Monitoring Requirements

While various network monitoring tasks are automated today, IT practitioners still rely on heuristics and manual analysis to detect issues and resolve network problems. A strong understanding of networking concepts is essential for network monitoring. When using a packet sniffer, experienced teams often opt for the filtered mode to capture only the specific data from the packets. Receiving all packet data and not knowing what data is important for analysis can lead to data overload.

Bolster Security

All packets contain control data and the actual data or payload through the data transmission. It’s essential to ensure the payload is encrypted during all data transfers, as packet sniffers can also take this data, and any sensitive data can accidentally get opened if encryption isn’t in place. As an added layer of protection, IT teams can configure their packet sniffers to represent only the header data as it’s enough for most of the network monitoring and analytics.

Implement Packet Sampling

While checking the packet sniffing to packet headers decreases workload and storage conditions, it can still manage a large amount of data and fill up disk space quickly. Packet sampling can assist in determining this challenge. Instead of gathering data from every packet, IT teams can follow packet data at set rates. While this sampling may not give the most detailed picture, it provides satisfactory results over longer periods of checking.

What Are The Top 8 Packet Sniffers?

  • SolarWinds Network Performance Monitor
  • ManageEngine NetFlow Analyzer
  • PRTG Network Monitor
  • Wireshark
  • Tcpdump
  • OmniPeek Network Protocol Analyzer
  • NetworkMiner
  • Colasoft Capsa

If you have any doubt about the packet sniffers don’t hesitate to contact us through the given email. Airzero Sec will be your digital solution. Email: [email protected]

enter image description here Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/

In this blog, we are going to be looking at a hack attack called deauthentication. In my humble opinion, when a hacker learns about a new attack, he or she has the obligation to also learn how to prevent it. So, this is not going to be a simple how-to, this blog will be divided into 4 parts:

  1. What is a Deauth Attack?

  2. Why would you want to attack in that way?

  3. How to do it?

  4. How to prevent the attack and take the necessary precautions?

What is a Deauth Attack?

Deauthentication is a kind of rejection of service attack that targets communication between a user and a Wi-Fi point.

This gives disassociate packets to one or more customers which are currently combined with a particular access point. Of course, this is fully useless if there are no wireless consumers or fake authentications.

The cool thing about this initiative is that where all networks are using WPA2 encryption you can simply deauth anything or anyone without even being inside the network.

Why does a deauth attack work on WPA2 encryption?

The method of encryption in 802.11 is limited to information payloads only. Encryption does not refer to the 802.11 frame headers, and cannot do so as key components of 802.11 headers are required for normal operations of 802.11 traffic.

Since 802.11 control frames largely work by setting data in the headers, management frames are not encrypted and as such are regularly spoofed.

Why would a person attack a network in that way?

A deauth offence is, most of the time, a step of a more inclusive attack! Hackers are usually required to deauth a client off of a network so they can:

  • Capture WPA/WPA2 4-Way Handshakes by pushing a user to reconnect to the network.
  • Force users to communicate to their own Rogue point.
  • Force users to communicate to a Captive Portal.

You can also deauth clients in your network for the way easy reasons, like:

  • Oppose a sibling or a friend of the network just because others are slowing your relationship down.
  • Frustrate people and laugh.

How to Deauth?

For this attack we need a device called aircrack-ng, aircrack-ng is more of a suite containing many tools to assess Wi-Fi network security,

Ok! one last thing, since we are speaking about giving packets we will require a wireless adapter both work in monitor mode and be a packet injector!

What is Monitor Mode?

Monitor mode enables you to take data transmitted and received by wireless accessories and networks nearby. Without it, you can not see which projects are working and what is transpiring inside the network.

What is Packet Injection?

Packet injection enables you to craft and inject or transmit data to wireless plans and networks nearby. Without it, you can not prevent or manipulate any activity from within the network.

  • Step 1: Set up Kali and open up a Terminal
    By typing ifconfig and the enter key on your terminal At the eth0 section in my ifconfig output, you understand that I have inet 10.0.2.15, this is because I am using Kali Linux on a Virtual Organization and I have it attached on a nat network. Don't worry about it, you do not even have to care!

All YOU have to worry about is the wlan0 section that is your broadcast adapter and as you can see mine is not even connected to a network.

  • Step 2 :Setting wireless adapter in monitor mode with airmon-ng

By running the airmon-ng start wlan0 you are setting up your adapter to monitor mode!

  • Step 3: Searching for Victims with airodump-ng

Run-on your terminal => airodump-ng wlan0mon

  • Step 4: Specific Targeting for better information gathering

Now that we know all that we require to know about the aim we have to determine any devices connected to the network.

The commands are airodump-ng -d "target's BSSID" -c "target's channel number" "wireless adapter model name"

  • Step 5 | Deauthenticating Device from the network
aireplay-ng -0 0 -a 50:C7:BF:DC:4C:E8 -c E0:B5:2D:EA:18:A7 wlan0mon

Command instructions:

  • -0 centers deauthentication.

  • 0 is the number of deaths to send 0 means to send them continuously, you can post 10 if you want the target to separate and reconnect.

  • -a 50:C7:BF:DC:4C: E8 is the MAC address of the waypoint we are targeting.

  • -c E0:B5:2D: EA:18:A7 is the MAC address of the customer to deauthenticate; if this is ignored then all customers are deauthenticated.

  • wlan0mon is the name.

  • Step 4 : Stop the attack and take the necessary precautions

Stop the attack and take the necessary precautions

You are now well familiar with the attack and know all the theories a beginner may need! But how could one defend against a deauthentication attack? You can not stop a guy from addressing deauth packets. Instead, you should make sure your network is configured in a form that the deauth drive doesn't allow an attacker to compromise your network.

  • Make sure the network is utilizing WPA2 encryption.
  • Your Wi-Fi passphrase should be quite long and strong.
  • Once you have been separated from your network, make sure that you connect back to a WPA2 protected network and not an apparent one with the same name as yours!

If you have any doubt about the deauthentication don’t hesitate to contact us through the given email. Airzero sec will be your digital solution.

Email:[email protected]

enter image description here

Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/

This blog is intended to show how to bypass the anti-virus detection using the Veil framework, as it is a collection of options designed for use during penetration testing. It currently consists of the next modules −

Veil-Evasion − a tool to create antivirus-evading payloads doing a kind of methods and languages Veil-Catapult − a psexec-style payload control system that integrates Veil-Evasion Veil-PowerView − a PowerShell device to gain network situational information on Windows domains Veil-Pillage − a modular post-exploitation framework that merges Veil-Evasion

What is a veil framework?

Based on python, the Veil-Framework is one of the most familiar devices for Anti-Virus deception. You can perform many various Metasploit payloads in c, python, ruby, PowerShell and more. The advantage of this tool is that you can join up a layer of encryption to your payloads. With the right optimization, you can bypass some general AV solutions.

Requirements

To install the Veil- Framework, you are ready to configure the updated Python packages into your device.

How to Install veil framework?

The most important point to remember is that the installation must be enabled with superuser privileges. If you are not using the root account, prepend syntax with sudo or change to the root user before starting. The Veil-Framework is a spectacular tool for avoiding payload detection by the anti-virus software. To install it, you are first required to enable it from Github and execute the below commands.

git clone https://github.com/Veil-Framework/Veil.git cd Veil/
./config/setup.sh --force --silent

How to generate payload?

Step-1: Now, choose the operation Evasion from the list as happens to generate the payload;

Step - 2: To record all the available payloads, choose the list option as usual which will show all the available payloads.

Step - 3: Now, choose your payload using the use syntax

Step - 4: At last, after choosing the payload, choose the py2exe option and hit the create command to generate the desired FUD payload

You can simply see that the runme.bat fully undetectable virus is created and stored in the /usr/share.veil-output/source directory.

If you have any doubt about the veil framework don’t hesitate to contact us through the given email. Airzero sec will be your digital partner.

Email:[email protected]

enter image description here Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/

enter image description here

How To Make A Flutter App With High Security?

When it comes to app development, the biggest concern for developers and the customers that use the app is secured. Do you know most of the people who use digital media time is spent on mobiles and tablets? With this popularity in the usage of smartphones and applications, app security has become the most concern for developers and users. Today most apps fail to clear the mobile security and privacy risks and ultimately put everything at risk.

Here we are explaining how to make the flutter app secured and the security risks a Flutter app is facing:

What are the biggest app security risks?

  • Unauthorized access to your application:
    Giving access to the application without verifying the user’s identity is the biggest threat for security. Flutter can improve various security and authentication plugins in the app. By integrating a plugin, developers can simply and easily add an authentication check in an app.

  • Leaking of sensitive data:
    Nowadays mobile apps contain all kinds of sensitive information, from IDs, passwords, PINs, account details, and more. If an app lacks security then this data can be at risk. Flutter offers a secure safety and privacy storage plugin named asNSUserDefault for IOS and SharedPreferences for Android.

  • Code injections:
    Code injections are one of the most common attackers. They insert unauthorized code in an already existing source code. This can result in major issues like data loss or a total takeover of your application. Application developers can use Flutter plugins which come with instructions that are already inserted into the plugin code.

What are the reasons that startups are considering Flutter for mobile app development:

  • Flutter uses a single codebase for the platforms
  • Flutter provides faster coding with hot reloading
  • App testing can be faster with flutter
  • There are no license fees for flutter
  • Flutter can customize the app with the best design
  • Flutter can build the same UI for the old devices

Additional features of flutter framework:

  • Flutter is mainly known for its productivity and consistency as it has a portable GPU rendering UI that provides access that can work on multiple up-to-date interfaces.
  • Flutter apps are easy and simple to customize and localize, businesses leverage a wider global user base for flutter.
  • Flutter framework provides total support for a wide range of IDEs including Xcode, Android studio and more
  • Flutter is well machined and equipped with native ARM code which makes it more compatible and comfortable with developing enterprise-level apps.

Why should you Hire the best Flutter Mobile App Development Company?

If you are the one who has been searching and trying to invest in a cross-application and choosing a flutter framework for the development and you are concerned about the security of the app, then it is worth choosing a best flutter app development company. The reason is, they are backed by highly eligible developers with the knowledge of the right plugins and understand the importance of integrating completely approved plugins into the app to avoid compromising the security and privacy of the information.

The best part about choosing the best app company with the best cyber security provider is, they follow the proper plan of the app development process and always ensure you the perfect product quality and security by keeping in mind the security and safety is the important part of the app.

Conclusion

No matter how complex and difficult your app is and what framework you have chosen to develop an application, security and privacy is the major concern for any developer that develops apps. So it is worth sparing some time reading all about common yet main security risks of applications and how you can address them with main flutter plugins. To avoid consequences, it is worth partnering with the best cyber security company in Kerala, Airzero Sec to build your app with tighter security.

Since the usage of the application will continue to increase and problems of the app will also rise, but being a developer- it’s your responsibility to ensure safety to the user by simply increasing the security and safety of the app and making sure that details will remain safe.

enter image description here Author - Johnson Augustine
Ethical Hacker and Data Security Researcher
Founder: Airo Global Software Inc
LinkedIn Profile: www.linkedin.com/in/johnsontaugustine/
Email id: [email protected]